Soundness of Symbolic Equivalence for Modular Exponentiation

In this paper, we study the Dynamic Decisional Diffie-Hellman (3DH) problem, a powerful generalization of the Decisional Diffie-Hellman (DDH) problem. Our main result is that DDH implies 3DH. This result leads to significantly simpler proofs for protocols by relying directly on the more general problem. Our second contribution is a computationally sound symbolic technique for reasoning about protocols that use symmetric encryption and modular exponentiation. We show how to apply our results in the case of the Burmester & Desmedt protocol

Implementing a Unification Algorithm for Protocol Analysis with XOR

In this paper, we propose a unification algorithm for the theory $E$ which combines unification algorithms for E\_{\std} and E\_{\ACUN} (ACUN properties, like XOR) but compared to the more general combination methods uses specific properties of the equational theories for further optimizations. Our optimizations drastically reduce the number of non-deterministic choices, in particular those for variable identification and linear orderings. This is important for reducing both the runtime of the unification algorithm and the number of unifiers in the complete set of unifiers. We emphasize that obtaining a ``small'' set of unifiers is essential for the efficiency of the constraint solving procedure within which the unification algorithm is used. The method is implemented in the CL-Atse tool for security protocol analysis

Hierarchical combination of intruder theories

International audienceRecently automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analysis can be improved, for finding more subtle weaknesses, by a more accurate modelling of operators employed by protocols. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However several interesting equational theories, such as exponentiation with an abelian group law for exponents remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for non-disjoint intruder theories and to show decidability results for the deduction problem in these theories. We have also shown that under natural hypotheses hierarchical intruder constraints can be decided. This result applies to an exponentiation theory that appears to be more general than the one considered before

Hierarchical Combination of Intruder Theories

Abstract. Recently automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analysis can be improved, for finding more subtle weaknesses, by a more accurate modelling of operators employed by protocols. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However several interesting equational theories, such as exponentiation with an abelian group law for exponents remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for intruder theories and to show decidability results for the deduction problem in these theories. Under a simple hypothesis, we were able to simplify this deduction problem. This simplification is then applied to prove the decidability of constraint systems w.r.t. an intruder relying on exponentiation theory.

Symbolic Proofs for Lattice-Based Cryptography

International audienceSymbolic methods have been used extensively for proving security of cryptographic protocols in the Dolev-Yao model, and more recently for proving security of cryptographic primitives and constructions in the computational model. However, existing methods for proving security of cryptographic constructions in the computational model often require significant expertise and interaction, or are fairly limited in scope and expressivity. This paper introduces a symbolic approach for proving security of cryptographic constructions based on the Learning With Errors assumption (Regev, STOC 2005). Such constructions are instances of lattice-based cryptography and are extremely important due to their potential role in post-quantum cryptography. Following (Barthe, Grégoire and Schmidt, CCS 2015), our approach combines a computational logic and deducibility problems-a standard tool for representing the adversary's knowledge, the Dolev-Yao model. The computational logic is used to capture (indistinguishability-based) security notions and drive the security proofs whereas deducibility problems are used as side-conditions to control that rules of the logic are applied correctly. We then use AutoLWE, an implementation of the logic, to deliver very short or even automatic proofs of several emblematic constructions, including CPA-PKE (Gentry et al., STOC 2008), (Hierarchical) Identity-Based Encryption (Agrawal et al. Eurocrypt 2010), Inner Product Encryption (Agrawal et al. Asiacrypt 2011), CCA-PKE (Micciancio et al., Eurocrypt 2012). The main technical novelty beyond AutoLWE is a set of (semi-)decision procedures for deducibility problems, using extensions of Gröbner basis computations for subalgebras in the (non-)commutative setting (instead of ideals in the commutative setting). Our procedures cover the theory of matrices, which is required for lattice-based assumption, as well as the theory of non-commutative rings, fields, and Diffie-Hellman exponentiation, in its standard, bilinear and mul-tilinear forms. Additionally, AutoLWE supports oracle-relative assumptions , which are used specifically to apply (advanced forms of) the Leftover Hash Lemma, an information-theoretical tool widely used in lattice-based proofs

Symbolic Verification of Computational Security for Branching-Time Properties

Two different models for security of cryptographic protocols have been developed: Symbolic security is an abstract notion which can often be verified automatically. Computational security is defined in a realistic concurrent model against arbitrary, randomized polynomial-time attacks. A recent research trend is to prove that often, these security notions coincide, thereby transferring the decidability results from the abstract setting into the more realistic computational model. Previous results in this area are only concerned with trace properties, i.e., security goals that can be characterized as properties of single protocol runs. We prove the first equivalence result for a more complex class of goals, which include balance for contract signing protocols. Our result shows that computational security for these protocols can be verified automatically. The proof relies on a careful "derandomization" of realistic attacks